Wednesday, November 7, 2012

Every once in a while, a website would get hacked and user’s information and login credentials publicly revealed. Those who got burnt would scamper to change their passwords. If they are lucky they would get away with it, but sometimes they are not. Often disasters like these could be easily avoided by securing your account with two-factor authentication. What is two-factor authentication? Well, for the umpteenth time, two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token such as a card and the other is something that could be memorized such as a PIN or password. In the context of web services, the user’s cell phone becomes the physical token.

Not very long ago, Google’s Matt Cutts explained the ins and outs of two-factor authentication in the wake of an attack on a Gizmodo writer’s Google account. With two-factor authentication enabled, Google asks users for two verification. After you enter the password, you have to enter a second code that is sent to your mobile phone. This second step drastically reduces the chances of having your Google account stolen by someone else because the hackers would have to not only get your password and your username, they'd have to get a hold of your phone.

Unfortunately, two-factor authentication is not something that you can choose to use on a website. The website has to offer it, but a lot of them has started implementing it in recent times. Here are some services that support two-factor authentication (as of November 2012).

Google: One of the first websites to offer two-factor authentication. The additional layer of security works across all Google services including Gmail, Blogger, Calendar, Reader and the rest. Checkout Google’s support pages for more instruction.

Facebook: The biggest social networking website has been offering two-factor authentication since May last year. If you value your Facebook account, you should enable it right now. Instructions here.

PayPal: This is another service where two-factor authentication is a must because your PayPal account is connected to your credit card and bank. Aside from the usual SMS based authentication, PayPal offers an optional physical credit card sized security key that you can carry about you in your wallet. Read more about PayPal’s methods.

Dropbox: You can choose to receive verification code via SMS or run a mobile app on your device, just like Google. Users can use Google Authenticator (for Android/iPhone/BlackBerry), Amazon AWS MFA (for Android) and Authenticator (for Windows Phone 7) to generate codes. A special 16-digit backup code is also provided if you ever lose your phone or can't receive or generate a security code. Instructions here.

SpiderOak: This is another cloud storage provider and Dropbox competitor that offers two-factor authentication. Unfortunately, SpiderOak offers this feature only to paid users who reside in the US or Canada. More information here.

LastPass: If you use LastPass to manage and store your passwords for other sites, then two-factor authentication is absolutely important. LastPass uses the Google Authenticator app for Android, iOS and BlackBerry for authentication. Instructions here.

Microsoft: Two-factor authentication isn’t implemented for Outlook and Live accounts yet, but available on SkyDrive, XBox.com and billing.microsoft.com. Authentication codes are sent by SMS to your phone or an alternate email address. Read more about it here.

Yahoo Mail: You can enable two-factor authentication for your Yahoo account from the account management page (sign-in required). A verification code is sent as a text message to the mobile phone number saved on the account as only the legitimate user should have access to the code on the phone to complete the challenge question.

Amazon Web Services: Amazon Web Services supports two-factor authentication in the form of an RSA Token (AWS Virtual MFA) or using Google Authenticator. This is applicable to all Amazon Web Services including Amazon EC2 and Amazon S3. Find out more from here.

Wordpress: In WordPress, two-factor authentication can be implemented with the help of a plugin and enabled on a per-user basis. Wordpress also uses Google Authenticator for authentication.

Drupal: If you use Drupal as content management system for your website, then you can use this plugin instead. Authentication is provided via Google Authenticator. There is also a desktop application and mobile apps for Windows, Palm OS, and Java phones.

Dreamhost: Currently the only webhost to provide two-factor authentication. Like the rest, DreamHost offers this security option via the Google Authenticator app. Instructions here.

Blizzard: The online game company behind titles such as World of Warcraft and Diablo offers two-factor authentication to players who log in to these game using a Battle.net account. The authenticator application is a small program that you install and run on your cell phone. Read more about it here.

Aside from the above mentioned services, some banks also offer two-factor authentication. Check your bank’s website to find out if they support it.